This last part of the 4 part series on SAP IDocs will wrap up the series on Integrating SAP using the SAP IDoc Snaps by looking at the communication between the SAP IDoc Snaps and the SAP system and how to secure it using Secure Network Communication (SNC) between the two. We will look at adding the SAP libraries required for SNC to the nodes of your Groundplexes, go over generating and sharing the certificates needed on both sides, and show you what JCO parameters to set to use SNC when connecting to the SAP system.
Pre-Requisites for Secure Network Communication (SNC)
To secure the communication between your Groundplex and the SAP system, you are required to download SAP cryptographic libraries and add them to each node of your Groundplex. The download requires an SAP Service User (S-User) with the authority to download software from SAP on the SAP for ME pages. Once on the page, click Services & Support on the left-hand menu, click the Download Software tile, and choose INSTALLATIONS & UPGRADES on the next screen. Choose By Alphabetical Index (A-Z) -> C in the list that appears. Navigate to SAP CRYPTOGRAPHIC SOFTWARE -> SAPCRYPTOLIB and then COMMONCRYPTOLIB 8. Select your operating system and then download the latest *.SAR file containing the libraries.
Additionally, you'll need the SAP version of tar called 'sapcar ', which you can find under Download Software on the SAP for ME software center pages. It's important to note that you should use the search field inside the Download Software page to find it, not the one at the top of the page.
Add and configure the libraries on your GroundPlex nodes.
To keep this blog concise, we are going to explain the process on a Linux-based node, but it should be easy enough to translate the process to Windows-based nodes.
If you have multiple nodes in your Groundplex setup, we recommend uploading the files to only one node first, performing the entire configuration there, and then distributing all files to the rest of the nodes.
Once you have the *.SAR and the SAPCAR*.EXE file on the node, ssh into the node, and switch to the root user to simplify the configuration. Create a directory for the files under /opt/sapsnc and move both files into the newly created folder; navigate into the directory, and then use the sapcar tool to unpack the files by running the following commands:
$> mkdir -p /opt/sapsnc
$> mv *.SAR SAPCAR* /opt/sapsnc
$> ./spacar -xvf <SAR-filename>.SAR
Inside the archive, you will find the libsapcrypto.* library and the sapgenpse command-line tool. The libsapcrypto.* file is the cryptographic library, while the sapgenpse tools manage security information such as public and private keys, certificates, and trust lists in personal security environment (*.pse) files.
We suggest you also rename the SAPCAR*.EXE to sapcar and make it an executable.
$> mv SAPCAR*.EXE sapcar
$> chmod 754 sapcar
The next step is making the SAP JCo libraries delivered with your Groundplex aware of the cryptographic library. To do so, you need to create an OS environment variable that is seen by your Groundplex installation. There are many ways to achieve this, but the simplest one is to add the environment variable to the /etc/environment file on each node and then restart the JCC process.
$> echo "SECUDIR=/opt/sapsnc" >> /etc/environment
Once the process is restarted, you can use the sapgenpse tool to generate the *.pse file.
$> sapgenpse gen_pse -v -p SGP.pse
Got absolute PSE path "/opt/sapsnc/SGP.pse".
Please enter PSE PIN/Passphrase: ********
Please reenter PSE PIN/Passphrase: ********
get_pse: Distinguished name of PSE owner: CN=SGP, OU=IT, O=SnapLogic, C=US
Supplied distinguished name: "CN=SGP, OU=IT, O=SnapLogic, C=US"
Creating PSE with format v2 (default)
succeeded.
certificate creation... ok
PSE update... ok
PKRoot... ok
You will be asked for a PIN/Passphrase for the file that will be created and for the distinguished name of the PS owner. The distinguished name should follow your company standards for X.509 Distinguished Names. When the program is done generating the pse, you will see a file with the name you specified.
The next step requires you to export the client certificate from the pse file you just generated and import it into the SAP system. The command will ask for the PIN/passphrase of the SGP.pse file and then export the client certificate to the SGP.crt file.
$> ./sapgenpse export_own_cert -v -p SGP.pse -o SGP.crt
Opening PSE "/opt/sapsnc/SGP.pse"...
No SSO credentials found for this PSE.
Please enter PSE PIN/Passphrase: ********
PSE (v2) open ok.
Retrieving my certificate... ok.
Writing to file (PEM-framed base64-encoded)... ok.
Download the newly created SGP.crt file and import it into your SAP system via the SAP Gui. You can import the client Certificate via Transaction STRUSTSSO2. First, open the Node SNC (SAPCryptolib) in the tree on the left. Click on 'Import certificate', set the file format to Base64 in the popup screen should it have the option and choose the file.
Once uploaded, you will see the certificate details in the Certificate section in the middle of the screen. Now switch to edit mode using the Edit Mode button at the top and then the Add to Certificate List button to add the certificate to the list of known certificates.
Just like you added the Groundplex client certificate to the SAP system, you now must add the SAP system's client certificate to the Groundplex. To do so, you must first download the client certificate from the SAP system, then upload it to the Groundplex node you used to generate the Groundplex PSE file and add the SAP system's client certificate to the PSE file.
To export the SAP client certificate from transaction STRUSTSSO2, double-click the Subject name in the Own Certificate section; this will make the client certificate show up in the Certificate section further down. You can then use the Export Certificate button to export the certificate. In the download popup, select Base64 as the file format and download the certificate.
The last step is to upload the SAP client certificate to your Groundplex node and add it to the Groundplex pse file.
./sapgenpse maintain_pk -v -a S4H.crt -p SGP.pse
Opening PSE "/opt/sapsnc/SGP.pse"...
No SSO credentials found for this PSE.
Please enter PSE PIN/Passphrase: ********
PSE (v2) open ok.
retrieving PKList
Adding new certificate from file "S4H.crt"
----------------------------------------------------------------------------
Subject : CN=S4H
Issuer : CN=S4H
Serialno : 0A:20:23:06:15:07:17:01
KeyInfo : RSA, 2048-bit
Validity - NotBefore: Thu Jun 15 07:17:01 2023 (230615071701Z)
NotAfter: Fri Jan 1 00:00:01 2038 (380101000001Z)
KeyUsage : none
ExtKeyUsage : none
SubjectAltName : none
----------
PKList updated (1 entries total, 1 newly added)
After adding the SAP client certificate to the pse file, we have to create a file called cred_v2 to securely give the SAP Snaps access to the PSE without providing the password. To do so, use the command:
./sapgenpse seclogin -p SGP.pse -O root
running seclogin with USER="root"
creatingcredentials for yourself (USER="root")...
Please enter PSE PIN/Passphrase: ********
Added SSO-credentials for PSE "/opt/sapsnc/SGP.pse"
If your Groundplex has multiple nodes, you must now distribute the entire /opt/sapsnc directory to each node and set the SECUDIR environment variable before you can continue to configure SNC for your SnapLogic SAP Accounts.
Configuring the SAP JCo Accounts in SnapLogic to use SNC
On the SnapLogic side, SNC is configured inside the SAP Jco Account as Advanced JCo Client Properties. The minimum parameters that you need to use are as follows:
- jco.client.snc_mode, Enables/disables the use of Secured Network Communications (SNC).
- The default value is set to 0; Possible values are 0: Not activated, 1: Activated
- jco.client.snc_partnername, sets the Distinguished name of the SAP system proceeded by p:
- The SAP Application Server’s SNC name can be found in the snc/identity/as profile parameter
- jco.client.snc_myname sets the Distinguished Name of the GroundPlex proceeded by p:
- jco.client.snc_lib, sets the path to the library which provides the SNC service.
Depending on your needs, you can set additional parameters like:
- jco.client.snc_qop sets the security level of the secured network connections. The default value is set to 3; possible values are 1: Authentication only, 2: Integrity protection, 3: Privacy protection, and 8: Use the value of the SAP Application Server parameter snc/data_protection/use.
- jco.client.snc_sso will configure the connection to use the client certificate as the password for the user specified.
- The default value is set to 1; Possible values are 0: Single Sign-On protocol disabled, 1: Single Sign-On protocol enabled. If you intend not to use the client certificate but want to use the specified password, you must explicitly set this value to 0.
It is important to know that if you want to use the Client Certificate as the user's password, it must not be configured as a system certificate in the SAP server. In the next paragraph, we will describe how to check if it is configured.
Looking at the different options for SNC inside the SAP system
To use SNC, it is important to know that the SAP system must be configured for it. In this blog, we will not discuss how this is done as we assume that your SAP team has already done this. You should ask them for the configuration settings they have made to make the configuration on the SnapLogic side accordingly. To do so, we briefly discuss your options in SAP for SNC and Single Sign-On based on SCN. The profile parameters that will dictate how clients are allowed to connect to the SAP system are:
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
Here, the parameter snc/accept_insecure_rfc is important to us. If the value is set to 0, the system will reject unprotected external RFCs, 1 will allow the system to accept all unprotected RFCs, and U will allow the system to accept unprotected external RFCs for those users who have the appropriate flag set in their user master record.
If we look at the user master record in SAP transaction SU01, we have the option to specify the distinguished name of the client certificate for the user to use. If the snc/accept_insecure_rfc parameter is set to 0, you must specify the distinguished name of a client certificate for each user who wants to log on to the SAP system. Naturally, this client certificate has to be added to the configuration in transaction STRUSTSSO2, as we have done previously.
If the snc/accept_insecure_rfc is set to U, you can specify the Distinguished Name but also use the Allow password login for SAP GUI (user-specific) option, as shown in the screenshot, to allow login via password.
Also, check SAP transaction SNC0 to ensure the client certificate is not listed as a certificate for Access Control (ACL) for Systems. If this is the case, you will either have to remove the certificate from this list, or you will not be able to use this client certificate as a password. You must either change your jco.client.snc_myname to a different certificate or switch to password logon by setting jco.client. snc_so to 0.
